1. International E-Discovery: Data Protection, Privacy, & Cross-Border Issues
Quentin Archer, Hogan Lovells LLP
Chris Dale, eDisclosure Information Project
M. James Daley, Daley & Fey LLP
Dominic Jaar, KPMG-Canada
Patrick J. Burke, Guidance Software
2. Dominic Jaar
KPMG Canada
djaar@kpmg.ca
• Partner & National Leader, eDiscovery, FTech and Information Management Services
•The Sedona Conference
WG7 editorial board member
WG1 and 6 member
Past
•CEO, Canadian Centre for Court Technology
•Founder, Ledjit Consulting
•In-house counsel, Bell Canada
•Litigator, Borden Ladner Gervais
3. Chris Dale
eDisclosure Information Project
chrisdaleoxford@gmail.com
Carrying information about e-discovery between courts,
lawyers, clients and providers.
4. Quentin Archer
Hogan Lovells International LLP
quentin.archer@hoganlovells.com
Immediate Past Co-Chair, The Sedona Conference® Working
Group on International E-Discovery
Partner in the London office of Hogan Lovells International LLP
Specialist for last 25 years in IT, data privacy and e-commerce,
with particular emphasis on international data transfers
5. M. James Daley, Esq., CIPP
Daley & Fey LLP
jdaley@daleylegal.com
Charter Member and Immediate Past Co-Chair, The Sedona Conference®
Working Group on International E-Discovery (2005-2011)
Technologist – Masters in Management of Information Systems
Certified Information Privacy Professional (CIPP/US) -- IAPP
Senior Editor, The Sedona Conference® International Principles on Discovery,
Disclosure and Data Protection (2011)
Co-Editor-in Chief, The Sedona Conference® Framework for Analysis of Cross-
Border Discovery Conflicts (2008)
6. Patrick Burke
Senior Director & Assistant General Counsel
Guidance Software, Inc.
patrick.burke@guidancesoftware.com
• Patrick performs in-house legal functions and works with corporate law departments
of other companies in the U.S., Europe and Canada to advise them with respect to
the implementation of defensible in-house e-discovery processes.
• He serves on the Sedona Conference® Working Group 6 on International Electronic
Information Management, Discovery & Disclosure, and speaks regularly at legal
conferences on topics including e-discovery law and best practices, privacy, European
data protection, digital evidence and cybersecurity.
• He is an Adjunct Professor at Cardozo School of Law in New York City, where he
teaches the e-discovery class.
7. Overview of Global Discovery
•Discovery of documents and electronic information abroad
is an increasingly important part of litigation
•Problems with foreign discovery are driven by
fundamental differences in legal systems and privacy/data
protection laws
•U.S. courts are frequently unfamiliar with, or are
dismissive of foreign restrictions on cross-border discovery
8. Differing notions of privacy
Privacy is a fundamental right in much of the world
Definitions of personal data subject to privacy
protection outside the U.S. are extremely broad
Privacy protections in the U.S. are industry specific
Personal data subject to protection is limited to
specific categories (e.g., Social Security
numbers, medical information, banking data)
9. Differing Notions of Discovery
Common law: expansive pre-trial discovery conducted by
the parties with judicial supervision as needed to resolve
disputes or manage court calendar
U.S.
Canada
U.K.
10. The concept of discovery
• Most EU countries do not have a discovery process in
their civil procedure
• Cases are decided primarily on the basis of documents
submitted by the parties and oral evidence
• Often this can lead to a cheaper and quicker result
• But it may also lead to a suspicion of "foreign" court
orders and document requests
11. Data Protection, Privacy, Cross-Border
Distinguish between:
Common Law countries with a discovery tradition
England and Wales, Northern Ireland,
Scotland, Ireland
USA
Australia, Canada, Singapore, Hong
Kong, New Zealand, India, Malaysia
Civil Law countries with no discovery tradition
Most of mainland Europe, former USSR,
China, Japan, South America, most of Africa
Other Mixed Jurisdiction, Sharia, Customary Law
12. Data Protection, Privacy, Cross-Border
UK, GB, E&W, EU
United Kingdom
England, Scotland, Wales, Northern Ireland
Great Britain
England, Scotland, Wales
England and Wales
Legal Jurisdiction
European Union
Economic and political partnership between 27 European countries
13. The Hague Convention
Hague Convention on the Taking of Evidence Abroad
(1972)
An attempt at compromise: a uniform procedure for
collection of evidence between common law and
civil law jurisdictions.
Letters of request (“rogatory”) issue from court in
one nation to designated central authority (often a
court) in another, requesting assistance in
obtaining information
14. Blocking statutes
Intended as shields to protect national sovereignty:
Statutes which restrict cross-border discovery of
information intended for use in foreign judicial
proceedings
Not limited to civil law jurisdictions (Australia and
Canada have blocking statutes)
May be general (France and Venezuela) or industry-
specific (e.g., Switzerland re banking information)
15. Blocking Statutes
Contrary to certain U.S. and U.K. judicial decisions,
blocking statutes can have severe consequences
Venezuela: In Lyondell-Citgo Refining LP v.
Petroleos de Venezuela, defendant accepted an
adverse inference instruction rather than turn over
board minutes and related documents
France: In re Christopher X: French Supreme Court
affirmed a criminal conviction for speaking to a
potential witness about a U.S. lawsuit
16. Cross-Border Regulations
E.U. Data Protection Directive (95/46)
States should implement laws to restrict all manner of “processing” of
“personal data”
Prohibits transfer of personal data outside the E.U.
▫ Exception: the country to which it is transferred provides “adequate
protection” of personal data (E.U. Directive Article 25)
Countries that meet the E.U. “Adequate Protection” standard
▫ Canada
▫ Argentina
▫ Switzerland
▫ Israel
17. Personal Data
Broad Definition of “Personal Data” under the
EU Data Protection Directive:
• Any information that can be used directly or
indirectly to identify an individual (e.g., the
name of the sender or recipient(s) of an email).
18. Personal Data
Potential narrowing of the definition of “Personal Data” in
U.K.
Durant v. Financial Services Authority, Court of Appeal
(Civil Division), 2003: “Only information that names
(the individual) or refers to him” qualifies for protection
under the Directives and U.K. enabling laws
Court described its holding as “a narrow interpretation
of personal data”; the holding is not universally followed
19. Additional EU Directive Terms
“Data Subject” is usually an individual and sometimes an
employee of a “Data Controller”/Employer. However, in Italy,
a corporate entity can be a Data Subject as well
“Data Processing” is any handling of Personal Data outside
the normal use
Preservation (litigation hold) may be considered processing if it
involves manipulation of data, such as moving data to a secure
server or even preserving in place
“Discovery” in U.S. = “Disclosure” in Civil Law Jurisdictions
20. EU Data Protection Directive
Rule: Any transfer of personal data to a third party requires
justification and – in case of countries outside EEA –
additional safeguards
Statutory Exceptions (Derogations):
“Transfer necessary to safeguard legitimate interests of parties to
litigation and no overriding interests of affected individuals”
“Transfer necessary for exercise or defence of legal claims in court”
Transmission may require notification/permission of local Data
Protection Agencies
21. New EU Data Protection Regulation
•Adopted by EU Commission on 1/25/12
•Must be ratified by Council of Europe and
European Parliament – 2 to 3 year process
•Objectives: greater uniformity of data protection
efforts among EU member states; and centralization
of authority (“one stop shop”) for data protection
issues for multinational corporations
22. New EU Data Protection Regulation
•Single data protection authority for multinationals
•Significant restriction of employee consent for data processing
•Elimination of current processing notification requirements
•Data protection officer if more than 250 global employees
•“Right to be forgotten” and “Privacy by Design” requirements
•Notification of data security breaches to regulators and persons
•Simplified procedures for transferring personal data outside EU
•Increased independence and power for DPAs
•Data protection violation fines -- up to 2 percent of a company’s global annual
income
23. Attitude of the courts and regulators
• Instinctive resort to the "safe" but limited procedures
available in instruments such as Hague Convention
• But Hague Convention rarely used
• Blocking statutes of different kinds exist in several
countries
• Data protection laws present a more comprehensive
block
• But there is disagreement within the EU over the scope of
protection
• Durant – v – FSA, UK Court of Appeal, 2003
24. Article 29 Working Party
• Group established by the 1995 Data Protection Directive
• Has engaged with Sedona Conference
• In 2009 issued Working Document on pre-Trial Discovery
(WP158)
• Fairly conservative analysis of the subject
• But conceded that transfers of personal data to the US for
litigation purposes were permissible subject to safeguards
including:
• Assessment of relevance should be carried out in EU
• Only data actually necessary for claims or defences
should be transferred
25. The Sedona Conference
• Framework for Analysis of Cross-border Discovery
Conflicts published 2008
• International Principles and Best Practices on Discovery,
Disclosure & Data Protection published December 2011
• Has encouraged a dialogue between EU regulators and
the US judiciary, with high-level input on both sides
• Fundamental principles are that personal data should be
restricted to the level necessary to resolve the issues in
the case, and that further disclosure should be subject to
the terms of a protective order
26. Latin American Privacy Laws
Based on Constitutional Right of “Habeas Data”
(i.e., “You have the Data”):
Brazil – 1988
Paraguay
Peru
Argentina
Costa Rica
Mexico
27. Evolution of International Privacy Law
Mexico
Adopted/Considering: Released draft privacy regulations that work with existing data protection law
Summary:
• Applies to controllers handling “sensitive personal data”
• Restricts int’l transfer
Russia
Adopted/Considering: Amended privacy law, “On personal data”
Summary:
• Strict privacy stance
• Permits uninhibited transfer to EU
• Empowers a special agency to determine data security adequacy
China
Adopted/Considering: Released “Provisions on the Administration of Internet Information Services”
Summary:
• Framed around “Internet Information Service Providers” (IISPs)
• Restricts IISP’s conduct in various ways
28. Global E-Discovery
Summary and recent developments, by country:
Hong Kong (Common Law)
• Special Administrative Region (SAR)
• Uses traditional English discovery law
• Hong Kong International Arbitration Center
China (Civil Law)
• Transferring state secrets out of country is strictly protected
Singapore (Common Law)
• Have passed an “opt-in” e-discovery system, but seldom used in litigation
• No dedicated data protection or privacy legislation, though some is currently being discussed
• Singapore International Arbitration Centre
South Korea
• Blocking Statute that applies to cross-border transfers for purpose of foreign litigation
Japan (Civil Law)
• Japan Privacy Act permits the conditional transfer of personal information from a corporate entity to a third party; e-discovery still evolving
29. Global E-Discovery
Canada
Law: Ontario Rules of Civil Procedure
Summary:
• Directly calls counsel to implement discovery plan that incorporates how to handle production of ESI
• Makes an explicit call for cooperation and meet and confer
• Requires counsel to confer with the Sedona Canada Principles
Australia
Law: Practice Note CM 6
Summary:
• Courts may order electronic format production where “the use of technology… will help facilitate the quick, inexpensive and efficient resolution of the matter”
• Pre-discovery and pre-trial checklists; places an expectation on counsel that they have considered the issues in the list, and are in a position to inform the court on how they will be addressed
31. Privacy acts and blocking statutes
Federal
• Foreign Extraterritorial Measures Act, Chapter F-29
• Personal Information Protection and Electronic Documents Act (PIPEDA), 2000 c.5
• Privacy Act, Chapter P-21
Quebec
• Business Concerns Records Act, R.S.Q., chapter D-12
• Charter of Human Rights and Freedom, R.S.Q., chapter C-12
• Civil Code of Quebec, L.Q., 1991, c. 64
• Act Respecting the Protection of Personal Information in the Private Sector, R.S.Q., chapter P-39.1
• Act to Establish a Legal Framework for Information Technology, R.S.Q., chapter C-1.1
32. Business Concerns Act
R.S.Q., chapter D-12
2. Subject to section 3, no person shall, pursuant to or under any requirement issued by any legislative, judicial or
administrative authority outside Québec, remove or cause to be removed, or send or cause to be sent, from any place in Québec
to a place outside Québec, any document or résumé or digest of any document relating to any concern.
Exceptions:
3. The prohibition enacted in section 2 shall not apply in the case of the removal or sending of a document out of
Québec
(a) by an agency, branch, company or firm carrying on business in Québec, to a principal, head office, affiliated company or firm,
agency or branch situated outside Québec, in the ordinary course of their business;
(b) by or on behalf of a company or person, as defined by the Securities Act, (chapter V-1) carrying on business in Québec, to a
territory subject to another political jurisdiction in which the sale of the securities of such company or person has been authorized;
(c) by or on behalf of any such company or person carrying on business in Québec as a broker, security issuer or salesman
within the meaning of the Securities Act, to a territory subject to another political jurisdiction in which any such company or person
has been registered or is otherwise authorized to carry on business as broker, security issuer or salesman, as the case may be;
(d) whenever such removal or sending is authorized by any law of Québec or of the Parliament of Canada, in accordance with
their respective jurisdictions.
33. Act Respecting the Protection of Personal Information in the Private Sector
R.S.Q., chapter P-39.1
5. Any person collecting personal information to establish a file on another person or to record personal information in such a file may collect
only the information necessary for the object of the file.
8. A person who collects personal information from the person concerned must, when establishing a file on that person, inform him
1) of the object of the file;
2) of the use which will be made of the information and the categories of persons who will have access to it within the
enterprise;
3) of the place where the file will be kept and of the rights of access and rectification. […]
12. Once the object of a file has been achieved, no information contained in it may be used otherwise than with the consent of the person
concerned, subject to the time limit prescribed by law or by a retention schedule established by government regulation.
13. No person may communicate to a third person the personal information contained in a file he holds on another person, or use it for
purposes not relevant to the object of the file, unless the person concerned consents thereto or such communication or use is provided for by
this Act.
14. Consent to the collection, communication or use of personal information must be manifest, free, and enlightened, and must be given for
specific purposes. Such consent is valid only for the length of time needed to achieve the purposes for which it was requested.
34. Data Protection, Privacy, Cross-Border
US Contra Mundum
• Collision between US Discovery and everyone else
• Overbroad even before privacy and data protection
considerations
• Aérospatiale, Hague Convention v FRCP
• Comity analysis supposed to balance competing
interests
• Good faith and hardship of compliance
35. Data Protection, Privacy, Cross-Border
Aérospatiale Comity Analysis
(1) the importance to the . . . litigation of the documents or other information requested
(2) the degree of specificity of the request
(3) whether the information originated in the United States
(4) the availability of alternative means of securing the information
(5) the extent to which noncompliance with the request would undermine important
interests of the United States, or compliance with the request would undermine
important interests of the state where the information is located
Restatement (Third) of Foreign Relations Law
of the United States
36. Data Protection, Privacy, Cross-Border
Collision
“There’s going to be a train-
wreck”
Browning Marean
37. Data Protection, Privacy, Cross-Border
The Components
Article 29 of EU Directive 95/46/EC
+
Individual State implementations
v
Restatement (Third) of Foreign Relations Law of the United States
+
Aérospatiale
39. Data Protection, Privacy, Cross-Border
Whoever heard of limiting the scope of Discovery?
Discovery limited in scope
=
Intelligent appraisal of issues – what do we really need?
+
Protective Order
+
Technology to identify and filter quickly
40. Data Protection, Privacy, Cross-Border
Asymmetry and Compromise
• "[m]utual knowledge of all the relevant facts gathered by both
parties is essential to proper litigation." Hickman v. Taylor (1947)
• Competition on uneven terms if one party subject to less onerous
discovery.
• If you take advantage of US trade, then you must accept its rules
BUT
• Compromise is necessary if EU laws are not to be simply ignored
41. Data Protection, Privacy, Cross-Border
A Changing Climate?
• EU Draft General Data Protection Regulation will tighten rules
• ABA Report and Resolution 103
• Sedona Conference – International Principles on Discovery, Disclosure
& Data Protection
• Respect, good faith, reasonableness, protective order, discovery
limited in scope, compliance with Data Protection obligations
• But…. Trueposition
42. Data Protection, Privacy, Cross-Border
Trueposition – making a monkey of the cheese-eaters
• Trueposition, Inc. v. LM Ericsson Tel. Co.
• “Limited Jurisdictional discovery” sought in alleged anti-competitive
conduct case
• French Blocking Statute makes discovery unlawful
• Judge conducts Aérospatiale comity analysis
• No reference to ABA or Sedona initiatives
• Assumption that French will not enforce Blocking Statute
Daley: Incumbent upon counsel to ensure US courts are apprised of any foreign law issues re discovery and/or privacy
Daley: In 2011 we saw many countries establish or re-work existing privacy regimes. In sum, the minefield of international privacy laws grew denser.
Mexico – July 2011
• “Sensitive personal data”: data that may reveal information like racial or ethnic origin, health status and religious and moral beliefs
• More restrictive than the broad “personal data” definitions seen in other acts
• Similar to the Directive in many respects; any transfer, national or international, hinges on the consent of its data subject.
• Exceptions: Some of the exceptions to Mexico’s consent requirement arise when the data transfer is pursuant to a treaty, where the transfer is necessary for health care purposes, where the transfer is made to subsidiaries, affiliates or parent companies of the data controller with the same processes and policies, and when necessary to safeguard public interest
Russia – July 2011
• Russia’s reformed privacy laws still closely align with the strict privacy stance taken by European Union Data Protection Directive 95/46/EC (“the Directive”).
• Russia’s new statutory scheme permits uninhibited transfer to the EU.
• Additionally, similar to the need for “adequate” data protection in the Directive, Russia’s law empowers a special agency to determine whether the country’s data security procedures are sufficiently “adequate” to receive personal data from Russia
• The law imparts the Russian Federal Service for Oversight of Communications, Information Technology and Mass Media with the ability to authorize a list of state parties (non-members to the EU) with sufficient personal data protection to qualify to receive personal data.
• Personal data may be produced pursuant to a treaty or Russian federal law.
China
• “Internet Information Services” defined as “service activities for the provision of information to Internet users over the Internet”; it doesn’t operate on “processors” like so many other acts
• Service providers must not use personal data without consent, must not collect more than the minimum amount of personal information necessary to provide their service, and must divulge the method, content and purpose of the collection to the users in express forms without disclosing any information to a third party absent users’ consent
• It’s a different approach on protecting personal data.
“the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”
Daley: E-Discovery law in APAC is evolving at the speed of light, in large part due to high numbers of US companies doing business in the region – and needing to produce information in APAC in US litigation. In addition, companies based in APAC are increasingly being dragged into US-based litigation. Both of these items are influencing APAC discovery law. Much arbitration occurs in the region, and these matters do involve exchange of ESI.
U.K. Practice Direction
• Enacted in 2010; applies to multi-track claims, or at the discretion of the judge
• For cases that trigger the application of the Practice Direction, more involved e-discovery guidelines apply
• Direction calls parties to “discuss the use of technology in the management of Electronic Documents” prior to the first Case Management Conference, in addition to the electronic information the parties have in their control, the scope of the search for relevant documents, preservation steps taken, cost-sharing and formats for exchanging documents.
• Some key features of the direction include: a welcome for parties considering keyword, or tech-assisted review; provisions on how metadata should be handled; as we discuss later on, a sample questionnaire designed to facilitate counsel communication; and provisions that emphasize that the reasonable search requirement encompasses notions of proportionality so often discussed in US e-discovery commentary
• Aims to prevent the need for court intervention and avoid penalties for adopting unreasonable approaches
CM is an acronym for “Case Management” that is used to signal a section for case management related practice issues in the Practice Notes issued by the Chief Justice. Practice Note CM 6 refers specifically to “Electronic technology in litigation.”
Comment: What is included in CM-6 checklists? Required? Examples?
Practice Note CM-6 contains two important checklists for practitioners: the pre-discovery conference checklist and the pre-trial checklist. Here are the sections of the pre-discovery conference checklist, the areas upon which parties are to align strategies:
• Introduction (The court places an expectation on counsel that they have “considered the issues identified in this Checklist and to be in a position to inform the Court on how the issues are to be addressed prior to or at the first Directions hearing or case management conference”)
• Scope of discovery (Assess scope with a mind towards speed, costs, efficiency and relevancy)
• Strategies for conducting a reasonable search
• Management of Electronic Documents (Strategize key stages of the EDRM: “identification, collection, processing, analysis, review and exchange of Electronic Documents”)
• Preservation of Electronic Documents (What strategy will be implemented for preservation?)
• Timetable and Estimated Costs for Discovery (How much will it cost? How much time will it take?)
• Privilege (How will the parties grapple with documents flagged as privileged?)
• Document Management Protocol (default, advanced, other?)
• Pre-Discovery Conference Attendees
• Areas of disagreement (Address the areas where parties cannot agree)
Comment: Info/requirements of doc mgmt protocols
The Default Document Management Protocol, triggered by expected discoverable documents between 200 and 5000, imposes very comprehensive default provisions. The Default Document Management Protocol describes specifically how documents should be exchanged between parties and to the court. Some types of information addressed include: what information should be in document descriptions, default file types and other permissible options, procedures for redacting privileged documents and correcting errors, duties for managing de-duplicates, how to name files, and how to handle attachments. This default protocol can be opted out of pursuant to an advanced agreement, and should be if the expected discoverable documents exceed 5000.
Comment: What is included in UK questionnaire? Required? Examples?
The UK Electronic Documents Questionnaire is a vehicle designed to get information pertinent to e-disclosure exchanged between parties early on in litigation. While parties should consider employing it in any litigation, as it very well may reduce costs that arise down the road, its use is only required if the size or complexity of a case so mandates. The questionnaire can be found in Direction 31B. Examples of topics covered, in Q & A format, include:
• Extent of a reasonable search (questions about custodians, dates, forms of documents and databases);
• Method of search (does counsel think that keywords should be used? Other automated techniques like concept searches?)